PKI in Your Apps
Now that you have an idea what PKI and Signatures are about, look at a sample application that uses this technology. The following are the application's requirements:
Once the reviewer reads a document, he or she approves it with a signature.
Once the document is signed, the document can no longer be modified, and the signature is stored to prove that the reviewer has validated it.
The medical or quality assurance fields are logical areas for such an application, where test results need to be reviewed and approved by a specialist and proof needs to be kept for auditing purposes in case something goes wrong.
Also, for the sample application, I simulate keycard technology using a floppy disk. Keycards are often used in conjunction with a PKI to store a user's private key information. Such an application requires a user to insert his or her keycard into a card reader and enter a password. The password is used to decrypt the private key information on the card. (If this concept sounds familiar, it should; your bank card uses a similar technology.)
Here's how the application works:
- The reviewer starts the application and uses the Document>Open menu, which displays a dialog listing the available documents in the database.
- The reviewer selects a document from the list and opens it.
- After he's read through it, the reviewer clicks the Sign Document button on the toolbar.
- The system requires the reviewer to insert his floppy disk (keycard) in drive A:\ and input his username and password.
- The system validates the username and password against the information in the database.
- The system uses the password to decrypt the Private Key data stored on the floppy disk.
- The system uses the Private Key data to generate a signature for the document.
- The signature is stored in the database, and the document is now considered approved (
You can download the full source code for this application. To better explain how the encryption and signing process works, I'll drill down on two processes: signing a document and validating a signature.
Signing a Document Digitally
So how does one go about signing a document? As I stated earlier, a signature is a way of both making sure that the data in the document has not been tampered with and of authenticating the document as originating from the correct person. The first step in signing the document is to ask the user to insert his keycard (a floppy disk for the sample application) and then to prompt him for his username and password. The password is validated against the data contained in the database. It then is used to decrypt the private key information on the floppy disk (see Listing 1).
With the private key data retrieved, you can generate a signature for the document. Luckily, the RSA provider exposes a method for signing data, so you don't need to bother with the intermediary steps. You can go right to generating the signature.
When dealing with the .NET framework's Cryptography functions, all your strings have to be converted to and from byte arrays. Do this with the
StringTobyteArray() functions provided in the sample code. The following snippet shows how to use these functions:
'Initialize the RSA provider
objRSAProvider = New RSACryptoServiceProvider()
'load up the stored private key data
'Generate the signature
arSignature = objRSAProvider.SignData(arDocText, "MD5")
'Convert the signature to a string
'(So we can easily store it)
strSignature = ByteArrayToString(arSignature)
The hash algorithm is specified as a parameter when calling the SignData() method. In the sample application, you use the MD5 algorithm to generate the digest. To complete the operation, the generated signature is inserted into the database and the status of the document is changed to approved (